New IIS Backdoor Identified in Microsoft Exchange Servers

Security researchers at Kaspersky have sounded the alarm about a new malware threat that is being used to gain persistent, stealthy access to corporate Microsoft Exchange servers. The malware allows the threat actor to steal email data and gain full control of the victims’ infrastructure. Detection rates by antivirus engines are currently poor: although the malware has been in use for several months, many of the infections have still not been detected by AV software. The researchers explained that deploying backdoors via IIS is a new trend for threat actors.

The malware, dubbed SessionManager, was set up as a malicious module within Internet Information Services (IIS). Once the malware is propagated, it starts collecting emails immediately. It has been used in attacks on companies since at least March 2021, and at least 34 Exchange servers at 24 companies are known to have been compromised to date. The targets are mostly in Africa, East and Southeast Asia, Europe and the United Kingdom, and the Middle East. Most of the targets identified so far have been NGOs and government agencies, although some oil companies, transportation companies, and healthcare organizations have also been attacked.

Kaspersky researchers performed a scan to identify infected Exchange servers and reported that 90% of the organizations that were targeted with the malware are still infected. It is currently unclear which threat group is behind the malware, although the researchers did find similarities with a malicious IIS module called Owowa, which has been used to steal credentials when users log in using Outlook Web Access. The types of organizations targeted and the common use of OwlProxy have led Kaspersky researchers to believe that SessionManager is being used by the Gelsemium group for espionage purposes.

“Gaining visibility into actual and recent cyberthreats is paramount for companies to protect their assets. Such attacks may result in significant financial or reputational losses and may disrupt a target’s operations. Threat intelligence is the only component that can enable reliable and timely anticipation of such threats,” said Pierre Delcher, Senior Security Researcher at Kaspersky’s Global Research and Analysis team. “In the case of Exchange servers, we cannot stress it enough: the past-year’s vulnerabilities have made them perfect targets, whatever the malicious intent, so they should be carefully audited and monitored for hidden implants, if they were not already.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of